You are here

Have You Been Hacked?

28 May 2003

The guidelines presented in this document provide a basic overview of steps that can be used in adopting basic but effective incident handling procedures. Anticipating scenarios before they happen, and deciding how to handle them can minimize service disruptions while increasing the probability of catching those responsible.

DO

1. Prepare in advance

All too often, the unprepared victim of a system compromise will instinctively panic and attempt to do whatever he or she feels necessary to stop the intrusion or repair the system. By implementing incident handling procedures, an organization can ensure that support staff handles an incident in an adequate and efficient manner. It is important to note that these guidelines may not meet the needs of all organizations, and should be considered a basic outline of a set of incident handling procedures. It is often helpful to consult with a security specialist to help determine your needs.

2. Limit system activity

When a system is suspected of having been compromised, an important objective that must be followed regardless of circumstance is to ensure that the state of the system remains as unchanged as possible. By isolating access and the actions performed, the potential for accidentally damaging the system or affecting the crime environment is greatly reduced.

3. Verify the incident

Verifying that an incident has occurred is a key factor in minimizing service disruptions. This can generally be achieved by looking at log files produced by the system, a firewall or an intrusion detection system, by examining network traffic at the router level, or by examining the system for anything seeming out of the ordinary. Keeping in mind that every action performed can contaminate evidence, incident verification should be performed in as few steps as possible. Depending on the value of the data on the system and the experience of support staff, it may be prudent to skip immediately to the next step.

4. Unplug the system from the network

Unplugging the system from the network will prevent an intruder from performing any additional actions, and assist in limiting activity on the system. When possible, immediately plug the system into a small hub that is not connected to anything else, as this will aid in preventing log files from filling up with messages that the network is unplugged.

5. Call an incident analyst

A computer security expert specializing in incident response can assess the situation by collecting evidence and determining how the intrusion occurred. These investigators are knowledgeable in many aspects of criminal activity, and are capable of building a much stronger case against an intruder than regular support staff would be.

6. Think before acting

Never panic. Think before you act. When in doubt, ask questions. Your organization’s incident handling procedures will describe a set of steps that allow you to deal with the crisis in a professional, structured manner. Should the event require corresponding with the intruder, especially for negotiation purposes, always consult with a specialist and form a strategy before responding.

DON’T

1. Do not power down the system

Powering the system down is highly damaging to effective analysis of the break-in. When a system is turned off, it loses all evidence of running processes and its memory contents. Unless absolutely necessary, this should never be done following an intrusion.

2. Do not use the system more than necessary

To reinforce a previous point, it is vital that the state of the system remain as unchanged as possible following an intrusion. Creating, editing or removing files stored on the hard disk drive, or running any programs can be especially damaging to evidence and compromise the ability to recover lost data. Everything you do may be damaging, and so can not doing anything. Follow the steps described in your incident handling procedures.

3. Do not attempt to handle the incident personally

Without adequate training and experience, no one is prepared to handle an incident. Attempting to do so will only contaminate evidence and eliminate the chance of a quick recovery. A qualified security expert will be prepared to answer any questions you may have and is the only person who should conduct an investigation. And remember: when in doubt, ask questions!

IGSN (Interactive Gaming Security Network) provides an Incident Response Service. If you have been the victim of malicious activity or suspect that your system has been compromised, contact our specialists immediately. Our qualified security analysts have experience in dealing with these situations and will help walk you through the process.

We can be reached day or night at 888-408-2200 or 415-462-1781 www.igsn.com.